RubyGems - turborex - Versions diffs - 0.1.1 - Mend

turborex 0.1.1

Files changed (74) hide show

checksums.yaml +7 -0
data/LICENSE +674 -0
data/README.md +38 -0
data/README.rdoc +19 -0
data/examples/alpc_client.rb +15 -0
data/examples/alpc_server.rb +14 -0
data/examples/com_client.rb +19 -0
data/examples/com_finder.rb +39 -0
data/examples/create_instance.rb +15 -0
data/examples/cstruct.rb +19 -0
data/examples/find_com_client_calls.rb +16 -0
data/examples/find_rpc_security_callback.rb +12 -0
data/examples/rpc_finder.rb +117 -0
data/examples/scan_exports.rb +5 -0
data/examples/scan_imports.rb +5 -0
data/examples/tinysdk.rb +17 -0
data/lib/turborex.rb +21 -0
data/lib/turborex/cstruct.rb +565 -0
data/lib/turborex/cstruct/struct_helper.rb +7 -0
data/lib/turborex/exception.rb +65 -0
data/lib/turborex/fuzzer.rb +204 -0
data/lib/turborex/fuzzer/containers.rb +115 -0
data/lib/turborex/fuzzer/coverage.rb +67 -0
data/lib/turborex/fuzzer/mutators.rb +25 -0
data/lib/turborex/fuzzer/seed.rb +30 -0
data/lib/turborex/monkey.rb +11 -0
data/lib/turborex/msrpc.rb +14 -0
data/lib/turborex/msrpc/decompiler.rb +244 -0
data/lib/turborex/msrpc/midl.rb +747 -0
data/lib/turborex/msrpc/ndrtype.rb +167 -0
data/lib/turborex/msrpc/rpcbase.rb +777 -0
data/lib/turborex/msrpc/rpcfinder.rb +1426 -0
data/lib/turborex/msrpc/utils.rb +70 -0
data/lib/turborex/pefile.rb +8 -0
data/lib/turborex/pefile/pe.rb +61 -0
data/lib/turborex/pefile/scanner.rb +82 -0
data/lib/turborex/utils.rb +321 -0
data/lib/turborex/windows.rb +402 -0
data/lib/turborex/windows/alpc.rb +844 -0
data/lib/turborex/windows/com.rb +266 -0
data/lib/turborex/windows/com/client.rb +84 -0
data/lib/turborex/windows/com/com_finder.rb +330 -0
data/lib/turborex/windows/com/com_registry.rb +100 -0
data/lib/turborex/windows/com/interface.rb +522 -0
data/lib/turborex/windows/com/utils.rb +210 -0
data/lib/turborex/windows/constants.rb +82 -0
data/lib/turborex/windows/process.rb +56 -0
data/lib/turborex/windows/security.rb +12 -0
data/lib/turborex/windows/security/ace.rb +76 -0
data/lib/turborex/windows/security/acl.rb +25 -0
data/lib/turborex/windows/security/security_descriptor.rb +118 -0
data/lib/turborex/windows/tinysdk.rb +89 -0
data/lib/turborex/windows/utils.rb +138 -0
data/resources/headers/alpc/ntdef.h +72 -0
data/resources/headers/alpc/ntlpcapi.h +1014 -0
data/resources/headers/rpc/common.h +162 -0
data/resources/headers/rpc/guiddef.h +191 -0
data/resources/headers/rpc/internal_ndrtypes.h +262 -0
data/resources/headers/rpc/rpc.h +10 -0
data/resources/headers/rpc/rpcdce.h +266 -0
data/resources/headers/rpc/rpcdcep.h +187 -0
data/resources/headers/rpc/rpcndr.h +39 -0
data/resources/headers/rpc/v4_x64/rpcinternals.h +154 -0
data/resources/headers/rpc/wintype.h +517 -0
data/resources/headers/tinysdk/tinysdk.h +5 -0
data/resources/headers/tinysdk/tinysdk/comdef.h +645 -0
data/resources/headers/tinysdk/tinysdk/dbghelp.h +118 -0
data/resources/headers/tinysdk/tinysdk/guiddef.h +194 -0
data/resources/headers/tinysdk/tinysdk/memoryapi.h +12 -0
data/resources/headers/tinysdk/tinysdk/poppack.h +12 -0
data/resources/headers/tinysdk/tinysdk/pshpack4.h +13 -0
data/resources/headers/tinysdk/tinysdk/winnt.h +1059 -0
data/resources/headers/tinysdk/tinysdk/wintype.h +326 -0
metadata +290 -0

data/lib/turborex/windows/com/utils.rb ADDED

@@ -0,0 +1,210 @@
+module TurboRex
+  class Windows < Metasm::WinOS
+    module COM
+      module Utils
+        def self.marshal_interface(object, mshctx=MSHCTX_DIFFERENTMACHINE, mshlflags=MSHLFLAGS_NORMAL)
+          iid = object.iid
+          _iid = "{#{iid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          istream = create_istream
+          hr = Win32API.comarshalinterface(istream.this, iid, object.this, mshctx, 0, mshlflags)
+          return false unless TinySDK.nt_success?(hr)
+          istream
+        end
+        def self.marshal_interface_to_string(object, mshctx=MSHCTX_DIFFERENTMACHINE, mshlflags=MSHLFLAGS_NORMAL)
+          # https://thrysoee.dk/InsideCOM+/ch15c.htm
+          istream = marshal_interface(object, mshctx, mshlflags)
+          return false unless istream
+          phglobal = Win32API.alloc_c_ptr('HGLOBAL')
+          size = Win32API.alloc_c_ptr('ULONG')
+          iid = object.iid
+          _iid = "{#{iid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          hr = Win32API.cogetmarshalsizemax(size, iid, object.this, mshctx, 0, mshlflags)
+          return false unless TinySDK.nt_success?(hr)
+          Win32API.gethglobalfromstream(istream.this, phglobal)
+          addr = Win32API.globallock(phglobal[0])
+          objref = Win32API.memory_read(addr, size[0])
+          Win32API.globalunlock(phglobal[0])
+          istream.Release
+          objref
+        end
+        def self.unmarshal_interface(stream, riid, interface=nil)
+          riid =~ /\{.+\}/ ? _iid = riid : _iid = "{#{riid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          ppv = Win32API.alloc_c_ptr('PVOID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          hr = Win32API.counmarshalinterface(stream.this, iid, ppv)
+          raise hr.to_s unless TinySDK.nt_success?(hr)
+          pthis = ppv[0]
+          return pthis unless interface
+          interface.this = pthis
+          interface
+        end
+        def self.unmarshal_interface_from_string(objref, riid, interface=nil)
+          istream = create_istream
+          return false unless istream
+          buf = Win32API.alloc_c_ary('BYTE', objref.bytesize)
+          buf.str = objref
+          hr = istream.Write(buf, objref.bytesize, 0)
+          return false unless TinySDK.nt_success?(hr)
+          # WTF? Why dlibMove won't work?
+          # dlibMove = Win32API.alloc_c_struct('LARGE_INTEGER')
+          # dlibMove.QuadPart = 0
+          # istream.Seek(dlibMove, 0, 0)
+          istream.Seek(0, 0, 0)
+          phglobal = Win32API.alloc_c_ptr('HGLOBAL')
+          Win32API.gethglobalfromstream(istream.this, phglobal)
+          addr = Win32API.globallock(phglobal[0])
+          objref = Win32API.memory_read(addr, 292)
+          unmarshal_interface(istream, riid, interface)
+        end
+        def self.create_istream
+          ppstm = Win32API.alloc_c_ptr('LPSTREAM')
+          hr = Win32API.createstreamonhglobal(0, 1, ppstm)
+          return false unless TinySDK.nt_success?(hr)
+          istream = Interface::IStream.new
+          istream.this = ppstm[0]
+          istream
+        end
+        def self.create_istorage(name, mode=STGM_SHARE_EXCLUSIVE|STGM_CREATE|STGM_READWRITE)
+          wname = Win32API.alloc_c_ary('WCHAR', name.chars.map{|c|c.unpack('C').first}.push(0))
+          ppstgOpen = Win32API.alloc_c_ptr('LPSTORAGE')
+          hr = Win32API.stgcreatedocfile(wname, mode, 0, ppstgOpen)
+          return false unless TinySDK.nt_success?(hr)
+          istorage = Interface::IStorage.new
+          istorage.this = ppstgOpen[0]
+          istorage
+        end
+        def self.clsid_to_raw(clsid)
+          pstr_clsid = INTERNAL_APIPROXY.alloc_c_ary('OLECHAR', "{#{clsid}}".chars.push(0).map{|c|c.ord})
+          pclsid = INTERNAL_APIPROXY.alloc_c_ptr('CLSID')
+          return unless INTERNAL_APIPROXY.clsidfromstring(pstr_clsid, pclsid).nil?
+          pclsid
+        end
+        def self.dll_get_class_object(rclsid, dll, interface=Interface::IClassFactory.new)
+          _api_proxy = TurboRex::Windows::COM::INTERNAL_APIPROXY.dup
+          _api_proxy.new_api_c <<-EOS, dll
+            HRESULT DllGetClassObject(
+              REFCLSID rclsid,
+              REFIID   riid,
+              LPVOID   *ppv
+            );
+          EOS
+          rclsid = clsid_to_raw(rclsid)
+          riid = clsid_to_raw(interface.iid)
+          ppv = _api_proxy.alloc_c_ptr('PVOID')
+          unless hr = _api_proxy.dllgetclassobject(rclsid, riid, ppv)
+            interface.this = ppv[0]
+            return interface
+          end
+          raise "Failed to call DllGetClassObject(): #{TinySDK.format_hex_ntstatus(hr, hex_str: true)}"
+        end
+        def get_disptbl_count(proxy_file_info)
+          pcif_stub_vtbl_list = to_ptr(@memory.get_page(proxy_file_info.pStubVtblList, @ptr_len))
+          if_stub_vtbl = TurboRex::Windows::COM::INTERNAL_APIPROXY.alloc_c_struct('CInterfaceStubVtbl')
+          if_stub_vtbl.str = @memory.get_page(pcif_stub_vtbl_list, if_stub_vtbl.sizeof)
+          return if_stub_vtbl.header.DispatchTableCount
+        end
+        def get_proxy_file_info(iid)
+          # TODO: Replace to call CoGetPSClsid()
+          require 'win32/registry'
+          Win32::Registry::HKEY_CLASSES_ROOT.open("Interface\\{#{iid}}") do |reg|
+            psclsid32_key = reg.open('ProxyStubClsid32')
+            ps_clsid = psclsid32_key.read('').last
+            psclsid32_key.close
+            Win32::Registry::HKEY_CLASSES_ROOT.open("CLSID\\#{ps_clsid}") do |reg_clsid|
+              inproc32_key = reg_clsid.open('InprocServer32')
+              dll_path = inproc32_key.read_s_expand('')
+              inproc32_key.close
+              return internal_get_proxyfile(dll_path, ps_clsid.delete('{}'))
+            end
+          end
+        end
+        # Note: The interface stub should be standard.
+        def get_pid_by_std_objref(interface)
+          objref = TurboRex::Windows::Win32API.decode_c_struct('OBJREF', interface.marshal_to_string)
+          objref.u_standard.std.ipid.Data2
+        end
+        def internal_get_proxyfile(path, clsid)
+          _api_proxy = TurboRex::Windows::COM::INTERNAL_APIPROXY.dup
+          _api_proxy.new_api_c <<-EOS, path
+            void RPC_ENTRY GetProxyDllInfo( const ProxyFileInfo*** pInfo, const CLSID ** pId );
+            HRESULT DllGetClassObject(
+              REFCLSID rclsid,
+              REFIID   riid,
+              LPVOID   *ppv
+            );
+          EOS
+          begin
+            ppproxy_fileinfo = _api_proxy.alloc_c_ptr('PVOID')
+            proxy_file_info = _api_proxy.alloc_c_struct('ProxyFileInfo')
+            ppclsid = _api_proxy.alloc_c_ptr('PVOID')
+            _api_proxy.getproxydllinfo(ppproxy_fileinfo, ppclsid)
+            pproxy_file_info = to_ptr(@memory.get_page(to_ptr(ppproxy_fileinfo.str), @ptr_len))
+            proxy_file_info.str = @memory.get_page(pproxy_file_info, proxy_file_info.sizeof)
+          rescue NoMethodError # GetProxyDllInfo() is not exported
+            ipsfactory = Interface::IPSFactoryBuffer.new
+            Utils.dll_get_class_object(clsid, path, ipsfactory)
+            cstd_psfactory = _api_proxy.alloc_c_struct('CStdPSFactoryBuffer')
+            cstd_psfactory.str =  @memory.get_page(ipsfactory.this, cstd_psfactory.sizeof)
+            pproxy_file_info = to_ptr(@memory.get_page(cstd_psfactory.pProxyFileList, @ptr_len))
+            proxy_file_info = _api_proxy.alloc_c_struct('ProxyFileInfo')
+            proxy_file_info.str = @memory.get_page(pproxy_file_info, proxy_file_info.sizeof)
+            ipsfactory.Release
+          end
+          proxy_file_info
+        end
+        def to_ptr(raw)
+          format = case @ptr_len
+          when 8
+            'Q'
+          when 4
+            'L'
+          end
+          raw.unpack(format).first
+        end
+      end
+    end
+  end
+end

data/lib/turborex/windows/constants.rb ADDED

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Constants
+      # Impersonation Level
+      SecurityAnonymous = 0
+      SecurityIdentification = 1
+      SecurityImpersonation = 2
+      SecurityDelegation = 3
+      # Security Descriptor Control
+      SE_OWNER_DEFAULTED  =             0x0001
+      SE_GROUP_DEFAULTED  =             0x0002
+      SE_DACL_PRESENT     =             0x0004
+      SE_DACL_DEFAULTED   =             0x0008
+      SE_SACL_PRESENT     =             0x0010
+      SE_SACL_DEFAULTED   =             0x0020
+      SE_DACL_AUTO_INHERIT_REQ  =       0x0100
+      SE_SACL_AUTO_INHERIT_REQ  =       0x0200
+      SE_DACL_AUTO_INHERITED  =         0x0400
+      SE_SACL_AUTO_INHERITED  =         0x0800
+      SE_DACL_PROTECTED  =              0x1000
+      SE_SACL_PROTECTED  =              0x2000
+      SE_RM_CONTROL_VALID =             0x4000
+      SE_SELF_RELATIVE = 0x8000
+      ## ACE Type
+      ACCESS_MIN_MS_ACE_TYPE  =                0x0
+      ACCESS_ALLOWED_ACE_TYPE =                0x0
+      ACCESS_DENIED_ACE_TYPE  =                0x1
+      SYSTEM_AUDIT_ACE_TYPE   =                0x2
+      SYSTEM_ALARM_ACE_TYPE   =                0x3
+      ACCESS_MAX_MS_V2_ACE_TYPE =              0x3
+      ACCESS_ALLOWED_COMPOUND_ACE_TYPE =       0x4
+      ACCESS_MAX_MS_V3_ACE_TYPE =              0x4
+      ACCESS_MIN_MS_OBJECT_ACE_TYPE  =         0x5
+      ACCESS_ALLOWED_OBJECT_ACE_TYPE  =        0x5
+      ACCESS_DENIED_OBJECT_ACE_TYPE  =         0x6
+      SYSTEM_AUDIT_OBJECT_ACE_TYPE =           0x7
+      SYSTEM_ALARM_OBJECT_ACE_TYPE =           0x8
+      ACCESS_MAX_MS_OBJECT_ACE_TYPE  =         0x8
+      ACCESS_MAX_MS_V4_ACE_TYPE  =             0x8
+      ACCESS_MAX_MS_ACE_TYPE =                 0x8
+      ACCESS_ALLOWED_CALLBACK_ACE_TYPE =       0x9
+      ACCESS_DENIED_CALLBACK_ACE_TYPE  =       0xA
+      ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE = 0xB
+      ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE =  0xC
+      SYSTEM_AUDIT_CALLBACK_ACE_TYPE =         0xD
+      SYSTEM_ALARM_CALLBACK_ACE_TYPE =         0xE
+      SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE  = 0xF
+      SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE  = 0x10
+      SYSTEM_MANDATORY_LABEL_ACE_TYPE =        0x11
+      SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE =     0x12
+      SYSTEM_SCOPED_POLICY_ID_ACE_TYPE =       0x13
+      SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE =    0x14
+      SYSTEM_ACCESS_FILTER_ACE_TYPE =          0x15
+      ACCESS_MAX_MS_V5_ACE_TYPE =              0x15
+      # ACE Flag
+      OBJECT_INHERIT_ACE  =              0x1
+      CONTAINER_INHERIT_ACE =            0x2
+      NO_PROPAGATE_INHERIT_ACE =         0x4
+      INHERIT_ONLY_ACE =                 0x8
+      INHERITED_ACE  =                   0x10
+      VALID_INHERIT_FLAGS =              0x1F
+      CRITICAL_ACE_FLAG =                0x20
+      SUCCESSFUL_ACCESS_ACE_FLAG =       0x40
+      FAILED_ACCESS_ACE_FLAG =           0x80
+      TRUST_PROTECTED_FILTER_ACE_FLAG =  0x40
+      # UnOfficial
+      MAX_BUCKETS_NUM = 0x17
+    end
+  end
+end

data/lib/turborex/windows/process.rb ADDED

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module TurboRex
+  class Windows < Metasm::WinOS
+    class Process < Metasm::WinOS::Process
+      def disassembler
+        return @disassembler if @disassembler
+        case self.cpusz
+        when 32
+          @disassembler = Metasm::Shellcode.decode(self.memory, Metasm::Ia32.new).disassembler
+        when 64
+          @disassembler = Metasm::Shellcode.decode(self.memory, Metasm::X86_64.new).disassembler
+        end
+      end
+      def load_symbol_table(libname)
+        initialize_sym_handler
+        unless lib = modules.find { |m| m.path =~ Regexp.new(libname, true) }
+          return false
+        end
+        if Win32API.symloadmoduleex(self.handle, 0, libname, 0, lib.addr, lib.size, 0, 0) == 0 &&
+           Win32API.getlasterror != 0
+            return false
+        end
+        # module_info = Win32API.alloc_c_struct('IMAGEHLP_MODULE64')
+        # module_info.SizeOfStruct = module_info.sizeof
+        # unless Win32API.symgetmoduleinfo64(self.handle, lib.addr, module_info) == 1
+        #   return false
+        # end
+        true
+      end
+      def close_handle
+        Metasm::WinAPI.closehandle(handle)
+      end
+      private
+      def initialize_sym_handler
+        return true if @sym_handler_initialized
+        Win32API.syminitialize(self.handle, 0, false)
+        Win32API.symsetoptions(Win32API.symgetoptions |
+                               Win32API::SYMOPT_DEFERRED_LOADS |
+                               Win32API::SYMOPT_NO_PROMPTS # | Win32API::SYMOPT_DEBUG
+                               )
+        sympath = ENV.fetch('_NT_SYMBOL_PATH') { 'srv*C:\\symbols*https://msdl.microsoft.com/download/symbols;' }
+        Win32API.symsetsearchpath(self.handle, sympath.dup)
+        @sym_handler_initialized = true
+      end
+    end
+  end
+end

data/lib/turborex/windows/security.rb ADDED

@@ -0,0 +1,12 @@
+warn "\033[33m[-]Warning: This module doesn't currently work on non-Windows os.\033[0m" unless OS.windows?
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      include TurboRex::Windows::Constants
+      require 'turborex/windows/security/ace.rb'
+      require 'turborex/windows/security/acl.rb'
+      require 'turborex/windows/security/security_descriptor.rb'
+    end
+  end
+end

data/lib/turborex/windows/security/ace.rb ADDED

@@ -0,0 +1,76 @@
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      class ACE
+        attr_reader :type
+        attr_reader :flags
+        def initialize(type, flags)
+          @type = type
+          @flags = flags
+        end
+        def self.from_raw(raw)
+          ace_header = TurboRex::Windows::Win32API.decode_c_struct('ACE_HEADER', raw)
+          sid_offset = ace_header.sizeof + 4
+          type = ace_header.AceType
+          flags = ace_header.AceFlags
+          mask = raw[ace_header.sizeof, 4].unpack('V').first
+          sid = TurboRex::Windows::Win32API.decode_c_struct('SID', raw, sid_offset)
+          ppszsid = TurboRex::Windows::Win32API.alloc_c_ptr('LPSTR')
+          if TurboRex::Windows::Win32API.convertsidtostringsida(sid, ppszsid) == 0
+            raise "Unable to call ConvertSidToStringSidA. GetLastError returns: #{TurboRex::Windows::Win32API.getlasterror}"
+          end
+          sz_sid = TurboRex::Windows::Win32API.memory_read_strz(ppszsid[0])
+          case type
+          when TurboRex::Windows::Constants::ACCESS_DENIED_ACE_TYPE
+            AccessDeniedACE.new(mask, sz_sid, flags)
+          when TurboRex::Windows::Constants::ACCESS_ALLOWED_ACE_TYPE
+            AccessAllowedACE.new(mask, sz_sid, flags)
+          end
+        end
+      end
+      class AccessAllowedACE < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::ACCESS_ALLOWED_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :allowed
+          super(type, flags)
+        end
+      end
+      class AccessDeniedACE < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::ACCESS_DENIED_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :denied
+          super(type, flags)
+        end
+      end
+      class SystemAuditAce < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::SYSTEM_AUDIT_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :audit
+          super(type, flags)
+        end
+      end
+    end
+  end
+end

data/lib/turborex/windows/security/acl.rb ADDED

@@ -0,0 +1,25 @@
+require 'turborex/windows/security/ace.rb'
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      class ACL
+        class DACL < ACL
+          attr_reader :revision
+          attr_reader :count
+          attr_reader :ace_list
+          def initialize(revision, count, ace_list=[])
+            @revision = revision
+            @count = count
+            @ace_list = ace_list.freeze
+          end
+          def self.from_raw(raw)
+            raise NotImplementedError
+          end
+        end
+      end
+    end
+  end
+end